Skip to content

Instantly share code, notes, and snippets.

Last active March 21, 2024 05:49
Show Gist options
  • Save philholden/50120652bfe0498958fd5926694ba354 to your computer and use it in GitHub Desktop.
Save philholden/50120652bfe0498958fd5926694ba354 to your computer and use it in GitHub Desktop.
// paste in console of any https site to run (e.g. this page)
// sample arguments for registration
var createCredentialDefaultArgs = {
publicKey: {
// Relying Party (a.k.a. - Service):
rp: {
name: "Acme"
// User:
user: {
id: new Uint8Array(16),
name: "",
displayName: "John P. Smith"
pubKeyCredParams: [{
type: "public-key",
alg: -7
attestation: "direct",
timeout: 60000,
challenge: new Uint8Array([ // must be a cryptographically random number sent from a server
0x8C, 0x0A, 0x26, 0xFF, 0x22, 0x91, 0xC1, 0xE9, 0xB9, 0x4E, 0x2E, 0x17, 0x1A, 0x98, 0x6A, 0x73,
0x71, 0x9D, 0x43, 0x48, 0xD5, 0xA7, 0x6A, 0x15, 0x7E, 0x38, 0x94, 0x52, 0x77, 0x97, 0x0F, 0xEF
// sample arguments for login
var getCredentialDefaultArgs = {
publicKey: {
timeout: 60000,
// allowCredentials: [newCredential] // see below
challenge: new Uint8Array([ // must be a cryptographically random number sent from a server
0x79, 0x50, 0x68, 0x71, 0xDA, 0xEE, 0xEE, 0xB9, 0x94, 0xC3, 0xC2, 0x15, 0x67, 0x65, 0x26, 0x22,
0xE3, 0xF3, 0xAB, 0x3B, 0x78, 0x2E, 0xD5, 0x6F, 0x81, 0x26, 0xE2, 0xA6, 0x01, 0x7D, 0x74, 0x50
// register / create a new credential
var cred = await navigator.credentials.create(createCredentialDefaultArgs)
console.log("NEW CREDENTIAL", cred);
// normally the credential IDs available for an account would come from a server
// but we can just copy them from above...
var idList = [{
id: cred.rawId,
transports: ["usb", "nfc", "ble"],
type: "public-key"
getCredentialDefaultArgs.publicKey.allowCredentials = idList;
var assertation = await navigator.credentials.get(getCredentialDefaultArgs);
console.log("ASSERTION", assertation);
// verify signature on server
var signature = await assertation.response.signature;
console.log("SIGNATURE", signature)
var clientDataJSON = await assertation.response.clientDataJSON;
console.log("clientDataJSON", clientDataJSON)
var authenticatorData = new Uint8Array(await assertation.response.authenticatorData);
console.log("authenticatorData", authenticatorData)
var clientDataHash = new Uint8Array(await crypto.subtle.digest("SHA-256", clientDataJSON));
console.log("clientDataHash", clientDataHash)
// concat authenticatorData and clientDataHash
var signedData = new Uint8Array(authenticatorData.length + clientDataHash.length);
signedData.set(clientDataHash, authenticatorData.length);
console.log("signedData", signedData)
// import key
var key = await crypto.subtle.importKey(
// The getPublicKey() operation thus returns the credential public key as a SubjectPublicKeyInfo. See:
// crypto.subtle can import the spki format:
"spki", // "spki" Simple Public Key Infrastructure rfc2692
// these are the algorithm options
// await cred.response.getPublicKeyAlgorithm() // returns -7
// -7 is ES256 with P-256 // search -7 in
// the W3C webcrypto docs:
// (scroll down a bit)
// ES256 corrisponds with the following AlgorithmIdentifier:
name: "ECDSA",
namedCurve: "P-256",
hash: { name: "SHA-256" }
false, //whether the key is extractable (i.e. can be used in exportKey)
["verify"] //"verify" for public key import, "sign" for private key imports
// check signature with public key and signed data
var verified = await crypto.subtle.verify(
{ name: "ECDSA", namedCurve: "P-256", hash: { name: "SHA-256" } },
// verified is false I want it to be true
console.log('verified', verified)
Copy link

dagnelies commented Nov 23, 2022

🎉 Poah, that was a tough nut to crack!

Moreover, I would like to emphasise that whether the signature is ASN.1 wrapped or not depends on the algorithm used according to the spec

6.5.6. Signature Formats for Packed Attestation, FIDO U2F Attestation, and Assertion Signatures

[...] For COSEAlgorithmIdentifier -7 (ES256) [...] the sig value MUST be encoded as an ASN.1 [...]
[...] For COSEAlgorithmIdentifier -257 (RS256) [...] The signature is not ASN.1 wrapped.
[...] For COSEAlgorithmIdentifier -37 (PS256) [...] The signature is not ASN.1 wrapped.

What about the -8 algo that is also recommended? ASN.1 wrapped or not? I guess that's simply missing in the specs right now. ;)

Copy link

emlun commented Nov 23, 2022 via email

Copy link

Sure @emlun , here you go: w3c/webauthn#1829

Copy link

And one more thing, I made a tool to verify / validate webauthn signatures:
Just scroll at the bottom and you can input your base64 encoded raw values. Maybe this is helpful for someone.

Copy link

mmv08 commented Jan 10, 2024

Thanks! It took me ages to figure out how to decode the public key from getPublicKey(). You're truly a legend.

Copy link

Big shoutout to @philholden for bringing up the topic! 🙌
And a massive thanks to @emlun for cracking the code like a boss! 🚀
You guys rock!

Copy link

sarvagnakadiya commented Jan 31, 2024

Have you guys checked this webauthn' verification

const signatureIsValid = storedCredential.publicKey.verify(
    signature, signedData);

I tried it, but it was saying verify function not found.

if you guys know how to use this function properly will be a great help!

I tried like this

//setting up public key onto useState after creating
 const credential = await navigator.credentials.create({
        publicKey: publicKeyCredentialCreationOptions,

and now verifying:

try {
      const assertion = await navigator.credentials.get({
        publicKey: {
          challenge: Uint8Array.from("randomStringFromServer", (c) =>
          rpId: "localhost",
        mediation: "optional",


      console.log("authenticator:", assertion.response.authenticatorData);
      console.log("client:", assertion.response.clientDataJSON);

      const authenticatorDataBytes = assertion.response.authenticatorData;

      var hashedClientDataJSON = new Uint8Array(
        await crypto.subtle.digest("SHA-256", assertion.response.clientDataJSON)
      console.log("clientDataHash", hashedClientDataJSON);

      const signedData = authenticatorDataBytes + hashedClientDataJSON;

      const signatureIsValid = pubKeyObj.verify(


      if (signatureIsValid) {
        return "Hooray! User is authenticated! 🎉";
      } else {
        return "Verification failed. 😭";
    } catch (error) {
      console.error("Error during login:", error);
      return "Error during login.";

but it says:

Error during login: TypeError: pubKeyObj.verify is not a function
    at signIn

Copy link

getify commented Mar 9, 2024

Thank you for this thread! Was the only way I found to solve the problem I was facing!

I was just a bit nervous about the lower-level code and wanted a bit more assurances from using a quality/compliant ASN.1 parser.

I just wanted to report that I found a reasonably sized, and capable for this task, ASN.1 parser lib (in JS): It's only 7k minified (and gzips to ~2.5k), and comes in UMD/CJS format so it will work in a lot of environments including even somewhat older browsers and older Node instances.

So instead of the above code (adapted into):

function parseSignature(sig) {
   var usignature = new Uint8Array(sig);
   var rStart = usignature[4] === 0 ? 5 : 4;
   var rEnd = rStart + 32;
   var sStart = usignature[rEnd + 2] === 0 ? rEnd + 3 : rEnd + 2;
   var r = usignature.slice(rStart, rEnd);
   var s = usignature.slice(sStart);
   return new Uint8Array([...r, ...s]);

I was able to use the library like this:

function parseSignature(sig) {
   var der = ASN1.parseVerbose(new Uint8Array(sig));
   return new Uint8Array([ ...der.children[0].value, ...der.children[1].value, ]);

Perhaps that helps others who land here.

Copy link

philholden commented Mar 9, 2024 via email

Copy link

@getify Pay attention that depending on the algorithm used by the credential, the signature may or may not be ASN.1 wrapped!

Moreover, I would like to emphasise that whether the signature is ASN.1 wrapped or not depends on the algorithm used according to the spec

6.5.6. Signature Formats for Packed Attestation, FIDO U2F Attestation, and Assertion Signatures
[...] For COSEAlgorithmIdentifier -7 (ES256) [...] the sig value MUST be encoded as an ASN.1 [...]
[...] For COSEAlgorithmIdentifier -257 (RS256) [...] The signature is not ASN.1 wrapped.
[...] For COSEAlgorithmIdentifier -37 (PS256) [...] The signature is not ASN.1 wrapped.

What about the -8 algo that is also recommended? ASN.1 wrapped or not? I guess that's simply missing in the specs right now. ;)

I recommend using a lib like mine to avoid such issues: , you can also verify signatures there.

Copy link

getify commented Mar 10, 2024

the signature may or may not be ASN.1 wrapped!

yep... that's true. the spec basically says that -7 (ECDSA P-256) is the only one that's wrapped, and it says that other algorithms "should not" be wrapped. so I only call that function on that specific algorithm.

Copy link

getify commented Mar 12, 2024


I recommend using a lib like mine

Your lib is great, and quite comprehensive. I've been working on a smaller lib for a more narrow purpose (and I link to yours as an alternative option):

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment